Conventionally, peripheral devices that can each be connected to an information processing device such as a smartphone via a contactless interface such as Bluetooth (registered trademark) are known. In the Bluetooth standard, profiles that define protocols for respective types of devices have been established. If devices that are to communicate with each other have the same profile, communication using the function of the profile is allowed. For example, when the peripheral device is a keyboard, if both the peripheral device and the information processing device have a profile called HID (Human Interface Device Profile), a connection can be established between the devices, which enables text entry and the like to the information processing device by use of the keyboard. For example, when the peripheral device is a headphone, if both the peripheral device and the information processing device have a profile called A2DP (Advanced Audio Distribution Profile), a connection can be established between them, whereby sound can be transmitted from the information processing device to the headphone.
Meanwhile, in conventional technologies, when a peripheral device using Bluetooth described above is to be used at an information processing device, authentication of the peripheral device is not performed. That is, as long as a peripheral device has a profile as described above, any peripheral device can be connected to and used at an information processing device.
Therefore, an object of the present embodiment is to provide a system and the like that can authenticate a peripheral device as described above when the peripheral device is to be used at an information processing device.
In order to attain the above object, the following configuration examples can be conceived, for example.
One configuration example is an information processing system including a server, a communication terminal communicable with the server via the Internet, and a peripheral device capable of performing short-range wireless communication with the communication terminal, and the peripheral device includes a secure storage section and an identification information transmission section. The secure storage section has a secure region in which to store data so as to be accessible by an internal component of the peripheral device. The identification information transmission section is configured to read out certificate data from the secure region and transmit the certificate data to the server, the certificate data being data stored in advance in the secure region and being a certificate which indicates that the peripheral device has been authenticated by a predetermined certificate authority. The server includes a peripheral device authentication section configured to perform authentication, on the basis of the transmitted certificate data, regarding whether the peripheral device is a peripheral device whose connection to the communication terminal is permissible. When the authentication of the peripheral device by the peripheral device authentication section has succeeded, execution of a process that involves transmission and reception of data encrypted according to a predetermined scheme is permitted between the peripheral device and the communication terminal.
According to the above configuration example, when the peripheral device is to be used from a predetermined communication terminal, it is possible to perform authentication regarding whether connection between the communication terminal and the peripheral device is permitted. Accordingly, safety in use of the peripheral device can be enhanced. In addition, since data necessary for the authentication is stored in the secure region, reliability of the data can be ensured and safety in the process regarding the authentication can be ensured. Further, reduction of running cost of the information processing system can also be attained.
Further, as another configuration example, the server may further include an authentication result transmission section configured to transmit to the peripheral device first data based on a result of the authentication when the authentication of the peripheral device by the peripheral device authentication section has succeeded. Then, after the first data transmitted from the authentication result transmission section has been received by the peripheral device, a process that involves transmission and reception of data encrypted on the basis of the first data may be executed between the peripheral device and the communication terminal. Further, the authentication result transmission section may generate, as the first data, key data for encrypted communication and transmit the key data to the peripheral device, and a process that involves transmission and reception of data encrypted by use of the key data may be executed between the peripheral device and the communication terminal.
According to the above configuration example, after the result of the authentication of the peripheral device has been received, transmission and reception of encrypted data is enabled between the peripheral device and the communication terminal. Also, as a result of the authentication, key data for the encrypted communication can be used. Accordingly, safety in use of the peripheral device can be enhanced.
Further, as another configuration example, the peripheral device may further include a data transmission section configured to transmit, to the server, predetermined data that is different from the certificate data, and the server may further include a verification section configured to execute, at authentication of the peripheral device, a verification process using the predetermined data transmitted by the data transmission section.
According to the above configuration example, safety in use of the peripheral device can be further enhanced.
Further, as another configuration example, the server may further include: a server certificate storage section having stored therein server certificate data which is data indicating that the server has been authenticated by a predetermined certificate authority; and a server certificate transmission section configured to transmit the server certificate data to the peripheral device. The peripheral device may further include a server authentication section configured to perform authentication regarding authenticity of the server on the basis of the transmitted server certificate data. When both of the authentication of the peripheral device by the peripheral device authentication section and the authentication of the server by the server authentication section have succeeded, execution of a process that involves transmission and reception of data encrypted according to a predetermined scheme may be permitted between the peripheral device and the communication terminal.
According to the above configuration example, authentication of the server can be performed also on the peripheral device side, and thus, safety in use of the peripheral device can be further enhanced.
Another configuration example is an information processing system including a server, a communication terminal communicable with the server via the Internet, and a peripheral device capable of performing short-range wireless communication with the communication terminal, wherein either one of the server and the peripheral device includes: a first data generation section, a first data encryption section, and a first data transmission section. The first data generation section is configured to generate first data. The first data encryption section is configured to encrypt the first data by using a public key of the other one of the server and the peripheral device. The first data transmission section is configured to transmit the first data encrypted by the first data encryption section to the other one of the server and the peripheral device. The other one of the server and the peripheral device includes: a first data reception section and a first data decryption section. The first data reception section is configured to receive the encrypted first data transmitted by the first data transmission section. The first data decryption section is configured to decrypt the received first data by using a private key of the other one of the server and the peripheral device. The server includes: a first key generation section configured to generate, on the basis of the first data, key data to be used in encrypted communication; and a key transmission section configured to transmit the key data to the communication terminal. The peripheral device includes a second key generation section configured to generate the key data on the basis of the first data. Then, a predetermined process that involves transmission and reception of data encrypted by use of the key data is executed between the peripheral device and the communication terminal.
Further, the peripheral device may further include a secure storage section having a secure region in which to store data so as to be accessible by an internal component of the peripheral device, and the private key of the peripheral device may be stored in advance in the secure region.
According to the above configuration example, it is possible to generate key data in each of the server and the peripheral device, on the basis of data which serves as the basis of the key data for encrypted communication to be performed between the peripheral device and the communication terminal. Accordingly, while using a generalized communication terminal, it is possible to reduce the risk that the key data is tapped (eavesdropped on) or otherwise obtained by an illegitimate application that operates on the communication terminal, for example, and it is possible to enhance safety in encrypted communication to be performed between the peripheral device and the communication terminal.
Another configuration example is an information processing system including a server, a communication terminal communicable with the server via the Internet, and a peripheral device capable of performing short-range wireless communication with the communication terminal. The peripheral device includes a first data generation section, a first data encryption section, and a first data transmission section. The first data generation section is configured to generate first data. The first data encryption section is configured to encrypt the first data by using a public key of the server. The first data transmission section is configured to transmit, to the server, the first data encrypted by the first data encryption section. The server includes a first data reception section, a first data decryption section, a second data generation section, a second data encryption section, and a second data transmission section. The first data reception section is configured to receive the encrypted first data transmitted by the first data transmission section. The first data decryption section is configured to decrypt the received first data by using a private key of the server. The second data generation section is configured to generate second data that is different from the first data. The second data encryption section is configured to encrypt the second data by using a public key of the peripheral device. The second data transmission section is configured to transmit, to the peripheral device, the second data encrypted by the second data encryption section. Further, the peripheral device includes a second data reception section, a second data decryption section, a first key data generation section, and an encrypted communication process execution section. The second data reception section is configured to receive the encrypted second data transmitted by the second data transmission section. 
The second data decryption section is configured to decrypt the received second data by using a private key of the peripheral device. The first key data generation section is configured to generate key data for encrypted communication, on the basis of the first data generated by the first data generation section and the second data obtained through the decryption. The encrypted communication process execution section is configured to execute transmission and reception of predetermined data by performing encryption using the key data generated by the first key data generation section. The peripheral device may further include a secure storage section having a secure region in which to store data so as to be accessible by an internal component of the peripheral device, and the private key of the peripheral device to be used by the second data decryption section may be stored in advance in the secure region. The first data and the second data may be each a random number. Further, the server may further include: a second key data generation section configured to generate the key data, on the basis of the first data obtained through the decryption and the second data generated by the second data generation section; and a key data transmission section configured to transmit the generated key data to the communication terminal, and the process executed by the encrypted communication process execution section may be a predetermined process that involves transmission and reception, between the peripheral device and the communication terminal, of data encrypted by use of the key data.
According to the above configuration example, it is possible to generate key data by exchanging data serving as the basis for generating key data for encrypted communication between the server and the peripheral device. Thus, while using a generalized communication terminal, it is possible to enhance safety in encrypted communication to be performed between the peripheral device and the communication terminal.
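The exchange in the configuration example above, as an added Go example that is not part of the original description: RSA-OAEP for the public-key encryption, 32-byte random values for the first and second data, and SHA-256 over a label and both values as the key derivation are all assumptions, since the text names none of them.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// deriveKey: the text says only that the key is generated "on the basis of" the
// first and second data; hashing label||first||second is this example's assumption.
func deriveKey(first, second []byte) []byte {
	h := sha256.New()
	h.Write([]byte("peripheral-terminal-key-v1")) // assumed domain-separation label
	h.Write(first)
	h.Write(second)
	return h.Sum(nil)
}

// Exchange simulates the exchange in the text: the peripheral encrypts first data
// to the server public key, the server decrypts it, generates second data and
// returns it encrypted to the peripheral public key. Each side then derives the
// key locally, so the terminal relaying the two ciphertexts learns neither value.
// It returns the key as derived by the peripheral and by the server.
func Exchange(serverKey, peripheralKey *rsa.PrivateKey) (peripheralSide, serverSide []byte) {
	first, second := make([]byte, 32), make([]byte, 32)
	_, err := rand.Read(first) // first data: random number chosen by the peripheral
	must(err)
	_, err = rand.Read(second) // second data: random number chosen by the server
	must(err)
	encFirst, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &serverKey.PublicKey, first, nil)
	must(err)
	firstAtServer, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverKey, encFirst, nil)
	must(err)
	encSecond, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &peripheralKey.PublicKey, second, nil)
	must(err)
	// Only the peripheral private key, kept in the secure region, recovers second data.
	secondAtPeripheral, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, peripheralKey, encSecond, nil)
	must(err)
	return deriveKey(first, secondAtPeripheral), deriveKey(firstAtServer, second)
}

func main() {
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	peripheralKey, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	kPeripheral, kServer := Exchange(serverKey, peripheralKey)
	// The server hands kServer to the terminal; it must equal what the peripheral derived.
	fmt.Printf("keys match: %v (%d bytes)\n", bytes.Equal(kPeripheral, kServer), len(kServer))
}
```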
Another configuration example is an information processing system including a server, a predetermined communication terminal, and a peripheral device capable of performing short-range wireless communication with the predetermined communication terminal, wherein the peripheral device includes a first storage section and a first transmission section. The first storage section has stored therein first certificate data which contains a peripheral device public key signed with a first signature key of a predetermined certificate authority, and a server signature verification key which is a key for signature verification regarding the server. The first transmission section is configured to transmit the first certificate data to the server. The server includes a second storage section, a peripheral device verification section, and a second transmission section. The second storage section has stored therein second certificate data which contains a server public key signed with a second signature key of the predetermined certificate authority, and a peripheral device signature verification key which is a key for signature verification regarding the peripheral device. The peripheral device verification section is configured to verify, by using the peripheral device signature verification key, the first certificate data transmitted from the peripheral device. The second transmission section is configured to transmit the second certificate data to the peripheral device when the verification by the peripheral device verification section has succeeded. Further, the peripheral device further includes a server verification section configured to verify, by using the server signature verification key, the second certificate data received from the server. When the verification by the server verification section has succeeded, use of the peripheral device from the predetermined communication terminal is permitted. 
The peripheral device may further include a secure storage section having a secure region in which to store data so as to be accessible by an internal component of the peripheral device, and the first certificate data may be stored in advance in the secure region.
According to the above configuration example, it is possible to perform control in which use of the peripheral device is permitted after the certificate of the peripheral device has been verified in the server. Thus, safety in use of the peripheral device from a predetermined communication terminal can be enhanced. In addition, since the certificate is stored in the secure region in the peripheral device, modification and the like of the certificate in the peripheral device can also be prevented.
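The mutual certificate check of this configuration example (and the server-side certificate authentication of the first configuration example), as an added Go example that is not part of the original description. Ed25519 signatures, the bare certificate layout, and a signed challenge standing in for the "predetermined data" verification are assumptions; the text specifies none of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Certificate is the bare form of "a public key signed with a signature key of a
// certificate authority"; a real deployment would use X.509 (assumed layout).
type Certificate struct {
	PublicKey ed25519.PublicKey
	Signature []byte
}

func verifyCert(verifyKey ed25519.PublicKey, c Certificate) bool { // length check avoids an ed25519.Verify panic
	return len(c.PublicKey) == ed25519.PublicKeySize && ed25519.Verify(verifyKey, c.PublicKey, c.Signature)
}

// Peripheral: the secure-region contents named in the text plus its private key.
type Peripheral struct {
	Cert            Certificate
	priv            ed25519.PrivateKey
	ServerVerifyKey ed25519.PublicKey
}

type Server struct {
	Cert                Certificate
	PeripheralVerifyKey ed25519.PublicKey
}

// Authorize runs the exchange in the text: the server verifies the peripheral
// certificate and only then returns its own, which the peripheral verifies. The
// signed challenge is an assumed "predetermined data" check (copied certs fail it).
func Authorize(p *Peripheral, s *Server) error {
	if !verifyCert(s.PeripheralVerifyKey, p.Cert) {
		return fmt.Errorf("server: peripheral certificate rejected")
	}
	challenge := make([]byte, 32)
	rand.Read(challenge) // crypto/rand.Read never returns an error as of Go 1.24
	if !ed25519.Verify(p.Cert.PublicKey, challenge, ed25519.Sign(p.priv, challenge)) {
		return fmt.Errorf("server: peripheral cannot sign with the certified key")
	}
	if !verifyCert(p.ServerVerifyKey, s.Cert) {
		return fmt.Errorf("peripheral: server certificate rejected")
	}
	return nil // both verifications succeeded: use from the terminal is permitted
}

// Provision issues both certificates under two distinct CA signature keys, as in
// the text, and gives each party the verification key for the other.
func Provision() (*Peripheral, *Server) {
	caPub1, caKey1, _ := ed25519.GenerateKey(rand.Reader) // first signature key
	caPub2, caKey2, _ := ed25519.GenerateKey(rand.Reader) // second signature key
	pPub, pPriv, _ := ed25519.GenerateKey(rand.Reader)
	sPub, _, _ := ed25519.GenerateKey(rand.Reader)
	p := &Peripheral{Cert: Certificate{pPub, ed25519.Sign(caKey1, pPub)}, priv: pPriv, ServerVerifyKey: caPub2}
	s := &Server{Cert: Certificate{sPub, ed25519.Sign(caKey2, sPub)}, PeripheralVerifyKey: caPub1}
	return p, s
}

func main() {
	p, s := Provision()
	fmt.Println("genuine peripheral accepted:", Authorize(p, s) == nil)
}
```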
Further, as another configuration example, transmission and reception of data between the peripheral device and the server may be performed via the communication terminal.
According to the above configuration example, the peripheral device itself need not have a function for providing direct connection to the server, such as an Internet connection function, for example. Thus, the manufacturing cost can be reduced accordingly. In addition, it becomes possible to provide the peripheral device with versatility, thereby allowing the peripheral device to be used in combination with various types of communication terminals.
Further, as another configuration example, communication between the peripheral device and the communication terminal may be performed in the form of Bluetooth communication. Further, the peripheral device may further include: a valid period storing section configured to store therein, as valid period information, a valid period of bonding information, which is information to be used when the peripheral device is to be re-connected to a predetermined communication terminal to which the peripheral device has been connected once; and a valid period determination section configured to determine, before communication of the peripheral device with the communication terminal is started, whether the valid period of the bonding information has elapsed. When the valid period determination section has determined that the valid period has elapsed, a process for authenticating the peripheral device may be executed.
According to the above configuration example, while using a highly versatile wireless communication standard, periodic execution of the authentication process for the peripheral device can be realized. In addition, while enhancing convenience, safety in use of the peripheral device can be ensured.
Further, as another configuration example, data transmitted and received between the peripheral device and the server may have been encrypted.
According to the above configuration example, the security strength in the process regarding the authentication of the peripheral device can be enhanced.
Further, as another configuration example, the communication terminal may further include: a request reception section configured to receive a transmission request for a client certificate from the server; and a certificate transmission section configured to transmit the client certificate stored in a storage section of the predetermined communication terminal, to the server in response to the transmission request. The server may further include a client verification section configured to execute a verification process for verifying authenticity of the communication terminal, on the basis of the client certificate transmitted by the certificate transmission section.
According to the above configuration example, authenticity and reliability of the communication terminal which is to serve as the communication counterpart of the server can be confirmed in the authentication process for the peripheral device. Thus, the security strength in the process regarding the authentication of the peripheral device can be enhanced.
Another configuration example is a wireless communication chip capable of performing Bluetooth (registered trademark) communication, the wireless communication chip including a storage section having stored therein certificate data that contains a public key signed with a signature key of a predetermined certificate authority.
Further, the storage section may include a secure region in which to store data so as to be accessible by an internal component of the wireless communication chip, and the certificate data may be stored in the secure region.
According to the above configuration example, it is possible to provide a wireless communication chip having data for proving authenticity thereof, and it is also possible to enhance the reliability thereof by using the secure region.
Another configuration example is a computer-readable non-transitory storage medium having stored therein an application program to be executed by a computer of a communication terminal which is communicable with a predetermined server via the Internet and which is communicable with a peripheral device by using short-range wireless communication, the application program causing the computer to function as: a relay section configured to relay transmission and reception of data performed between the server and the peripheral device; and an encrypted communication processing section configured to encrypt predetermined data and transmit and receive the encrypted data to and from the peripheral device.
According to the above configuration example, it is possible to cause a peripheral device not having a function of providing direct connection to the server, such as an Internet connection function, for example, to execute a communication process between the peripheral device and the server. Accordingly, for example, an authentication process for the peripheral device using the server can be realized. Further, since encrypted communication is performed between the peripheral device and the application, the security strength can also be enhanced.
According to the present embodiment, when the peripheral device is to be used, the authentication process for the peripheral device is performed first, and only after the peripheral device has been authenticated can use of the peripheral device be permitted. Accordingly, safety in use of the peripheral device can be enhanced.